--- a/doc/PLAN Fri Mar 06 12:46:22 2009 +0000
+++ b/doc/PLAN Fri Mar 06 12:51:07 2009 +0000
@@ -6,10 +6,10 @@
- make mercurial_server.paths module; a function sets a global based on sys.argv[0]
- reduce hg-ssh-wrapper to nothing by moving all functionality into hg-ssh
- same for refresh-auth
+- move most of do-refresh-auth into a module
Todo:
-- move most of do-refresh-auth into a module
- give that module a hook, and call the hook instead of the exe
- abolish refresh-auth shell script and rename do-refresh-auth to refresh-auth
- replace env vars with Python globals
--- a/install Fri Mar 06 12:46:22 2009 +0000
+++ b/install Fri Mar 06 12:51:07 2009 +0000
@@ -13,6 +13,7 @@
src/mercurialserver/changes.py \
src/mercurialserver/access.py \
src/mercurialserver/servelog.py \
+ src/mercurialserver/refreshauth.py \
src/mercurialserver/ruleset.py
install -o root -g root -d /usr/local/lib/mercurial-server/init
install -o root -g root -t /usr/local/lib/mercurial-server/init \
--- a/src/do-refresh-auth Fri Mar 06 12:46:22 2009 +0000
+++ b/src/do-refresh-auth Fri Mar 06 12:51:07 2009 +0000
@@ -7,66 +7,10 @@
# WARNING
import sys
-import os
-import os.path
-import pwd
-import subprocess
-from mercurialserver import ruleset, paths
+from mercurialserver import refreshauth
if len(sys.argv) != 1:
sys.stderr.write("refresh-auth: must be called with no arguments (%s)\n" % sys.argv)
sys.exit(-1)
-pentry = pwd.getpwuid(os.geteuid())
-if pentry.pw_name != "hg":
- # FIXME: re-execute
- print >>sys.stderr, "Must be run as the 'hg' user"
-
-akeyfile = pentry.pw_dir + "/.ssh/authorized_keys"
-wrappercommand = paths.getEtcPath() + "/hg-ssh-wrapper"
-keydirs = [paths.getEtcPath() + "/keys", pentry.pw_dir + "/repos/hgadmin/keys"]
-prefix='no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command='
-
-if os.path.exists(akeyfile):
- f = open(akeyfile)
- try:
- for l in f:
- if not l.startswith(prefix):
- raise Exception("Safety check failed, delete %s to continue" % akeyfile)
- finally:
- f.close()
-
-akeys = open(akeyfile + "_new", "w")
-for keyroot in keydirs:
- kr = keyroot + "/"
- #print "Processing keyroot", keyroot
- for root, dirs, files in os.walk(keyroot):
- for fn in files:
- ffn = os.path.join(root, fn)
- if not ffn.startswith(kr):
- raise Exception("Inconsistent behaviour in os.walk, bailing")
- #print "Processing file", ffn
- keyname = ffn[len(kr):]
- if not ruleset.goodpath(keyname):
- # ignore any path that contains dodgy characters
- #print "Ignoring file", ffn
- continue
- p = subprocess.Popen(("ssh-keygen", "-i", "-f", ffn),
- stdout=subprocess.PIPE, stderr=subprocess.PIPE)
- newkey = p.communicate()[0]
- if p.wait() == 0:
- klines = [l.strip() for l in newkey.split("\n")]
- else:
- # Conversion failed, read it directly.
- kf = open(ffn)
- try:
- klines = [l.strip() for l in kf]
- finally:
- kf.close()
- for l in klines:
- if len(l):
- akeys.write('%s"%s %s" %s\n' % (prefix, wrappercommand, keyname, l))
-
-akeys.close()
-
-os.rename(akeyfile + "_new", akeyfile)
+refreshauth.refreshAuth()
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/mercurialserver/refreshauth.py Fri Mar 06 12:51:07 2009 +0000
@@ -0,0 +1,68 @@
+# Copyright 2008-2009 LShift Ltd
+
+# WARNING
+# This hook completely destroys your ~/.ssh/authorized_keys
+# file every time it is run
+# WARNING
+
+import sys
+import os
+import os.path
+import pwd
+import subprocess
+from mercurialserver import ruleset, paths
+
+def refreshAuth():
+ pentry = pwd.getpwuid(os.geteuid())
+ if pentry.pw_name != "hg":
+ # FIXME: re-execute
+ print >>sys.stderr, "Must be run as the 'hg' user"
+
+ akeyfile = pentry.pw_dir + "/.ssh/authorized_keys"
+ wrappercommand = paths.getEtcPath() + "/hg-ssh-wrapper"
+ keydirs = [paths.getEtcPath() + "/keys", pentry.pw_dir + "/repos/hgadmin/keys"]
+ prefix='no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command='
+
+ if os.path.exists(akeyfile):
+ f = open(akeyfile)
+ try:
+ for l in f:
+ if not l.startswith(prefix):
+ raise Exception("Safety check failed, delete %s to continue" % akeyfile)
+ finally:
+ f.close()
+
+ akeys = open(akeyfile + "_new", "w")
+ for keyroot in keydirs:
+ kr = keyroot + "/"
+ #print "Processing keyroot", keyroot
+ for root, dirs, files in os.walk(keyroot):
+ for fn in files:
+ ffn = os.path.join(root, fn)
+ if not ffn.startswith(kr):
+ raise Exception("Inconsistent behaviour in os.walk, bailing")
+ #print "Processing file", ffn
+ keyname = ffn[len(kr):]
+ if not ruleset.goodpath(keyname):
+ # ignore any path that contains dodgy characters
+ #print "Ignoring file", ffn
+ continue
+ p = subprocess.Popen(("ssh-keygen", "-i", "-f", ffn),
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+ newkey = p.communicate()[0]
+ if p.wait() == 0:
+ klines = [l.strip() for l in newkey.split("\n")]
+ else:
+ # Conversion failed, read it directly.
+ kf = open(ffn)
+ try:
+ klines = [l.strip() for l in kf]
+ finally:
+ kf.close()
+ for l in klines:
+ if len(l):
+ akeys.write('%s"%s %s" %s\n' % (prefix, wrappercommand, keyname, l))
+
+ akeys.close()
+
+ os.rename(akeyfile + "_new", akeyfile)
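Review bot: In refreshAuth() the `pentry.pw_name != "hg"` branch only prints "Must be run as the 'hg' user" and then falls through, so under any other account the function goes on to regenerate that account's `~/.ssh/authorized_keys`. The existing-file safety check below only stops this when a file is already present with lines that do not start with the expected prefix. Now that this is an importable function (the header comment calls it a hook), the branch should stop execution, e.g. `raise Exception("Must be run as the 'hg' user")`, matching the `raise Exception("Safety check failed, ...")` style already used. Separately, if the os.walk consistency check raises mid-loop, `akeys` is never closed and a partial `authorized_keys_new` is left behind; a `try/finally` around the write loop would fix that. A one-line docstring on refreshAuth() saying that it overwrites authorized_keys would carry the module-level WARNING to callers.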